Top Trend #4: Ensuring security by design across device bootstrapping, encryption, and compliance

16th Feb 2023


The secure management of connected digital products and software is a critical concern for the enterprise. In recent years, a massive increase in cyberattacks on operational technology (OT) has exemplified the safety implications of poorly protected devices. The SolarWinds attack started the compliance and regulatory snowball for software supply chain security. The Log4j vulnerability followed soon after and rubbed further salt into the wounds. Human fatalities result from cyber attacks. Experts such as Israeli cybersecurity specialist Cybellum assess that when hospital networks get breached, these incidents are kept private to protect brand reputation.

With the proliferation of embedded devices and increasingly sophisticated cyber attacks, ensuring device security remains a critical objective for organizations. Devices must employ the highest level of security by integrating security into the ‘DNA’ of the devices. There are two core attributes of secure devices:

  • Over-the-air updates: Both firmware and applications require over-the-air (OTA) updates to patch vulnerabilities
  • Granular access control: Companies must ensure only the right people can make the right changes to the right devices, as encapsulated in the Triangle of Trust™. Simple in theory, in practice enforcing access control requires a well-designed, scalable workflow.

Requiring a secure update process

A secure update process is a requirement for industry certifications, including IEC 62443-4-1, IEC 62443-4-2, and ISO 27001. An update process requires a toolchain integrated with hardware security.

Example: Heating Systems

Vaillant, pioneering technology for heating, cooling, and hot water, leverages a secure update process integrated with hardware security. For its heating systems, Vaillant set up an edge gateway with a secure update process from the factory to the field. This device management process has a secure boot mechanism, provisioning of updates, certificates to authenticate devices back to the cloud service, and a secure element on the gateway hardware. Mutual TLS (mTLS) integrates with the secure element. A pre-authorized device can use the certificate, the secure element, and an OpenSSL engine to connect to cloud backend services and poll for OTA updates.

Example: Maritime cargo handling equipment

MacGregor, offering engineering solutions and services for handling marine cargoes and offshore loads, required a secure edge computer to run machine learning models for inference in condition monitoring of cargo handling equipment. Security was the paramount concern for the project director in selecting a best-of-breed OTA update solution based on a security-by-design architecture to deploy its OS and application updates.

Building a chain of trust

A chain of trust should link an individual device identity to the software deployed and operating on it. This chain of trust is critical to secure edge gateways.

With a chain of trust, an OTA update solution can leverage a hardware security module (HSM) or trusted platform module (TPM) to deploy updates. Integrated into the edge gateway, an HSM or TPM safeguards and manages device secrets and digital keys. The OTA integration with the HSM or TPM enables encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions.

This tutorial describes the integration of an OTA updates solution with a secure element.
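The chain of trust between the signing key and the software installed on a device, as an added Go example that is not Mender's code or the page's: a constructed vendor key signs an update artifact (in production that key would stay inside the HSM), and the device verifies the signature under the provisioned public key and refuses tampered or replayed artifacts. The Artifact type, the 16-bit version counter and the payload strings are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Artifact is a constructed stand-in for an OTA update: the image bytes plus the version they claim.
type Artifact struct {
	Version int // monotonically increasing counter, 16-bit in this example
	Image   []byte
}

// digest binds version and image together so the signature also pins the version.
func (a Artifact) digest() []byte {
	sum := sha256.Sum256(append([]byte{byte(a.Version >> 8), byte(a.Version)}, a.Image...))
	return sum[:]
}

// signArtifact runs on the build side; in production the key stays in an HSM and only signing is exposed.
func signArtifact(priv *ecdsa.PrivateKey, a Artifact) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, a.digest())
}

// installCheck runs on the device before the image is written: the signature must verify under the
// vendor key provisioned at production, and the version must move forward (no downgrade or replay).
func installCheck(vendorPub *ecdsa.PublicKey, installed int, a Artifact, sig []byte) error {
	if !ecdsa.VerifyASN1(vendorPub, a.digest(), sig) {
		return errors.New("rejecting update: signature does not verify under the vendor key")
	}
	if a.Version <= installed {
		return errors.New("rejecting update: version is not newer than the installed one")
	}
	return nil
}

// Scenario: a constructed vendor key signs v2; a device on v1 accepts it and rejects a bit-flipped
// copy, and a device already on v2 rejects the same signed artifact offered again (replay).
func Scenario() (genuine, tampered, replay error) {
	vendor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	v2 := Artifact{Version: 2, Image: []byte("rootfs-v2 constructed payload")}
	sig2, _ := signArtifact(vendor, v2)
	genuine = installCheck(&vendor.PublicKey, 1, v2, sig2)
	bad := Artifact{Version: 2, Image: append([]byte("x"), v2.Image[1:]...)} // one byte changed
	tampered = installCheck(&vendor.PublicKey, 1, bad, sig2)
	replay = installCheck(&vendor.PublicKey, 2, v2, sig2)
	return
}
```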

Managing secure bootstrapping

The combination of cryptographic attributes and individual device identity (a serial number) can define the authentication set representing a specific device and its authentication credentials. With this setup, an OTA update solution supports several authentication workflows based on the unique needs and requirements of specific devices or device groups. For example, device updates can be accepted on request, pre-authorized, or with mutual transport layer security (mTLS).

The authentication set verifies device credentials and obtains a token authorizing API access. For application purposes, this stage should provision additional credentials and certificates, for instance, communication certificates.

If a Public Key Infrastructure (PKI) is available, it authenticates the devices using certificates and CA signature verification. A PKI is the best implementation to automate bootstrapping and device credentials management.
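The certificate-based bootstrapping just described, as an added Go example that is not Mender's code or the page's: a constructed fleet CA enrolls a device whose serial number is carried in its certificate, and the backend accepts only certificates that chain to that CA and are valid for client authentication. The names "Fleet Root CA" and "SN-0001" are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent (parent == nil means self-signed); a
// CertSign key usage marks a CA, a DigitalSignature usage marks a device (client) certificate.
func newCert(cn string, ku x509.KeyUsage, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authenticateDevice is the backend check: the certificate must chain to the fleet CA and be valid for client authentication; the device identity (its serial number) is then read from the CN.
func authenticateDevice(devCert, fleetCA *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(fleetCA)
	if _, err := devCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // unknown CA, expired, or wrong usage: the device is not enrolled
	}
	return devCert.Subject.CommonName, nil
}

// Scenario is a constructed fleet: a CA, a device it enrolled as SN-0001, and a self-issued certificate that merely claims the same serial.
func Scenario() (serial string, genuineOK, selfIssuedRejected bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fleetCA, _ := newCert("Fleet Root CA", x509.KeyUsageCertSign, caKey, nil, nil)
	devCert, _ := newCert("SN-0001", x509.KeyUsageDigitalSignature, devKey, fleetCA, caKey)
	fakeCert, _ := newCert("SN-0001", x509.KeyUsageDigitalSignature, devKey, nil, nil)
	serial, err := authenticateDevice(devCert, fleetCA)
	_, fakeErr := authenticateDevice(fakeCert, fleetCA)
	return serial, err == nil, fakeErr != nil
}
```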

Ensuring secure production

With TPM attestation, a device requests a certificate while cryptographically proving to a certificate authority (CA) that the key in the certificate request is protected by the TPM and trusted by the CA. A TPM can hold different key types, such as RSA or ECC (Elliptic Curve Cryptography) keys. ECC keys are commonly used in embedded devices because they are more efficient in computation and in space or memory usage. By using TPM attestation and an enrollment key, an OTA update solution can support the secure production of the update and remote deployment to the device. Establishing a trusted workflow between the hardware and the rest of the software stack ensures security in device production.

Each device can also be assigned a unique device identifier (DevID), a requirement of some industry standards, such as IEEE 802.1AR.

Increasing regulation and enforcing compliance

All industry sectors should improve the protection of their software supply chains and connected devices. The automotive industry needs improvement and has so far been steered towards security compliance with standards such as WP.29, UN R155, and ISO 26262.

Governments are in the process of strictly regulating the levels of cybersecurity resilience in IoT devices and operational technology (OT); all industries must take note and prepare now. In the US, the Cyber EO signed by President Biden started the ball rolling in May 2021. As a result, the medical industry then received an updated FDA draft for premarket guidelines in April 2022, and the FDA Class 2 and Class 3 were upgraded with the premarket guidelines on SBOMs and vulnerabilities in July 2022.

In September 2022, the European Commission published the Cyber Resilience Act. The Cyber Resilience Act will ensure device manufacturers work to improve the security of products with digital elements from the design and development phase, through the ecosystem, to the supply chain. It will also enhance the transparency of the security properties of products with digital elements. Implicit in this new regulation is the planning for secure manufacturing and OTA updates of connected digital products across their lifecycle. These guidelines also require specific cybersecurity measures for the supply chain, including a software bill of materials (SBOM). Vulnerabilities must be found and patched in the software of fleets of connected devices.

Israeli cybersecurity specialist Cybellum predicts that as regulatory bodies become better at monitoring compliance, cybersecurity program adoption will increase. In turn, the world will become safer. But it will be an iterative process, a continuous process for security improvement as the hackers will find new ways to attack and penetrate.

Plan for secure device management with OTA

Cybersecurity threats require enterprises to plan for security by design in their connected products in the early product design phase. Setting up a toolchain around an OTA update mechanism will enable secure and robust device management from the factory to the field throughout the lifecycle.

During standard device management operations, a device requires the following management activities:

All these operations use the chain of trust built in the secure production and bootstrapping steps. When third-party Device Management Systems (DMSs) are in place, these operations require data propagation and synchronization using integrations and webhooks.

Set up a free trial of Mender Enterprise for 12 months.

Then take a look at how Mender can help you enable secure device management.